Making Clouds Less Ominous

Submitted by Steve Kolowich on August 12, 2011 - 3:00am

A group of 12 high-profile research universities is currently negotiating with commercial e-mail providers to create a standard contract that would reduce the costs and anxieties associated with outsourcing the handling of sensitive institutional data to cloud-based vendors.

If successful, the talks could pave the way for universities to move other types of data to the cloud — a migration that has been stalled by persistent concerns among institutions that are worried about putting sensitive university data on non-university servers, campus technology officials say. The discussions might also provide a model for other joint contracts between universities and technology vendors.

Companies that run university e-mail systems negotiate individual contracts with their various clients. These negotiations often involve haggling over whether the company can provide its services in a way that does not put the university at risk of violating state and federal laws — as well as its own policies — regarding privacy, data security, accessibility, and other matters.

“Every time we go to vendors, we start those conversations anew — it’s like Groundhog Day,” says James Hilton, the CIO of the University of Virginia, one of the institutions involved in the talks. “It’s inefficient on their side, and it’s inefficient on our side.” The idea behind the group push for a standard contract is to “aggregate some of our terms and needs upfront and just do it once,” Hilton says.

According to campus officials, the 12 universities have been hammering out the details of a possible standard contract with cloud-based e-mail vendors for the last year or so. The universities at the table include Virginia, Duke University, and 10 other “premier research universities,” says Hilton. (The effort grew out of conversations among members of the Common Solutions Group[1], a consortium that includes six universities from the Ivy League and five from the Big Ten.) On the vendor side, Microsoft, the second-largest e-mail provider for colleges and universities, confirmed that it is involved in the talks. The largest provider, Google, would not comment.

The most salient concerns around outsourcing to cloud providers — compliance with the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Americans With Disabilities Act (ADA), and other laws — are common to many colleges and universities. A standard document addressing those concerns could allow institutions and cloud-based vendors to check off compliance issues with a single stroke, eliminating many billable hours on both sides of the negotiating table, says Tracy Futhey, the CIO at Duke.

“There’s not necessarily a single answer that fits all [institutions’] needs uniformly,” Futhey says. “But there are, we’ve found out through this process, a core set of expectations and requirements for moving to these externally hosted systems.”

Storing data with cloud providers is often less expensive than housing it on university servers. Companies such as Google and Microsoft sometimes even offer to host data on their own services free of charge, as they currently do with student e-mail systems.

But institutional hand-wringing over how universities can protect institutional data while placing them in the care of an outside company has dictated the pace at which campus officials have moved various data-rich systems to the cloud. Information protected by FERPA and HIPAA is less likely to go through student e-mail systems; accordingly, more than half of institutions have already outsourced student e-mail to Google or Microsoft, according to the Campus Computing Project. By contrast, only 15 percent of institutions have moved faculty and staff e-mail to the cloud, and nearly two-thirds say they have purposefully decided not to do so. Universities also have tended to keep faculty research data close at hand, since they can contain personal information about research subjects, such as Social Security numbers or confidential medical records.

“When the data is in an institution, we can protect [those data] ourselves,” says Futhey. “But when we take someone’s private health information and give it to a third party to hold, it is incumbent upon us to make sure that a third party has the appropriate protections in place.”

A positive outcome to the negotiations over e-mail could make universities more comfortable unloading some of those more sensitive data environments into the cloud, campus officials say. “If you can solve policy and compliance issues that outsourcing faculty and student e-mail raises, then you have, in principle, solved them for almost everything,” says Hilton.

Futhey, the informal leader of the university group, says that some of the more difficult issues in the negotiations have been “around the communication around breaches, notification, [and] liability” in the case of a breach. If a university server gets hacked and sensitive data are exposed, it is clear that the university is at fault; if a Microsoft server gets hacked and sensitive university data are exposed, things get more complicated, Futhey says.

Another issue has been where, geographically, the university data end up, she says. When a university outsources data storage to “the cloud,” those data actually get sent to servers somewhere in a company’s network of server farms — some of which are located in foreign countries. Some universities involved in the negotiations need to keep their data in the United States, Futhey says.

Still, Futhey says she is optimistic that the two sides will find enough common ground to produce a document that could eliminate redundancy in future negotiations between universities and commercial cloud providers. “I think we’re getting down to questions of [whether] what vendors are able to provide is something universities are willing to contract for,” she says. “I think we’re in the closing period.”

At the same time as these 12 universities have been collaborating behind closed doors, a broader discussion about the need for greater collaboration among technology buyers in higher education has been going on in a more public forum. Universities need to stand together if they wish to avoid being pinned under the thumb of technology companies, Bradley Wheeler, the CIO at Indiana University, recently told his colleagues.

In the wake of last week’s merger[2] between higher education’s two largest software companies, Datatel and SunGard Higher Education, Wheeler sparked a discussion on an Educause listserv when he pointed out that while companies that sell technology to universities have consolidated, the community of university technologists negotiating with those companies has remained atomized, to the peril of institutional budgets.

While this does not quite apply to institutional e-mail, corporate consolidation in scholarly publishing, learning-management systems (LMS), and enterprise resource planning systems (ERP) has allowed companies to hold institutions “over a barrel” on annual licensing fees, Wheeler explained in an interview with Inside Higher Ed. “There’s been lots of aggregation over the years on the sell side, and the buy side has remained very fractured,” he says.

The situation has left universities in a lousy negotiating position, Wheeler says. “We face a decade that’s going to have vastly reduced resources for higher education,” he says. “And we really have to be prudent in taking care of our buy-side interests.”